Jar files in the $CATALINA_HOME/bin/ folder must have their permissions set to 640.

Overview

Finding ID: V-222947
Version: TCAT-AS-000380
Rule ID: SV-222947r960936_rule
IA Controls: CCI-000164
Severity: medium
Description
Tomcat's file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with the group tomcat. Root has read/write privileges, the tomcat group has read permissions only, and world has no permissions. The exceptions are the logs, temp, and work directories, which are owned by the Tomcat user rather than root. This means that even if an attacker compromises the Tomcat process, they cannot change the Tomcat configuration, deploy new web applications, or modify existing web applications. The Tomcat process runs with a umask of 0027 to maintain these permissions.
STIG: Apache Tomcat Application Server 9 Security Technical Implementation Guide
Date: 2025-02-11

Related Frameworks

3 paths across 3 frameworks

NIST 800-53 · 1 mapping · AU-9 · 1.00
  • DISA · 3 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-171 · 1 mapping · 3.3.8 · 1.00
  • DISA · 3 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI · 1 mapping · CCI-000164 · 1.00
  • DISA · 3 · disa_xccdf · related

Details

Check Text (C-222947r960936_chk)

Access the Tomcat server from the command line and execute the following OS command:

sudo find $CATALINA_HOME/bin/*jar -follow -maxdepth 0 -type f \( \! -perm 640 \) -ls

If there are no results, or if .sh extensions are found, this is not a finding. If results indicate any of the jar file permissions contained in the $CATALINA_HOME/bin folder are not set to 640, this is a finding.

Fix Text (F-24608r426286_fix)

Run the following command on the Tomcat server:

sudo find $CATALINA_HOME/bin/*jar -follow -maxdepth 0 -type f -print0 | sudo xargs chmod 640 $CATALINA_HOME/bin/*jar
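The check and fix above can be wrapped in a small script that reports exactly which jar files deviate from mode 640 and remediates only those, which is useful when the same check has to be repeated across many Tomcat hosts. The script below is an added example, not the STIG's own text or any Apache project code. It assumes CATALINA_HOME is set (or that the bin directory is passed as an argument), uses `find -L` as the POSIX equivalent of `-follow`, and replaces the `-print0 | xargs` pipeline with `find -exec ... {} +` so that no NUL-delimiter pairing (`-print0` with `xargs -0`) is needed. Ownership (root:tomcat) is a separate requirement and is not checked here.

```shell
#!/bin/sh
# Added example (not part of the STIG): audit and remediate *.jar permissions
# in a Tomcat bin directory. Assumes CATALINA_HOME is set when no directory
# argument is given. Run with sudo on a real server; bin/ is root-owned.

# Print every *.jar directly under the given bin directory whose mode is not
# exactly 0640 (so 0600 and 0644 both count as deviations, as with the STIG's
# "! -perm 640"). Returns 0 when compliant, 1 when at least one file deviates.
# -L follows symlinked jars and examines the target's mode, like -follow.
tomcat_jar_perm_check() {
    bin_dir="$1"
    noncompliant=$(find -L "$bin_dir" -maxdepth 1 -type f -name '*.jar' ! -perm 640 -print)
    if [ -n "$noncompliant" ]; then
        printf '%s\n' "$noncompliant"
        return 1
    fi
    return 0
}

# Set every non-compliant *.jar directly under the bin directory to 0640,
# printing each path before it is changed so the run leaves an audit trail.
# Only files that deviate are touched; compliant jars are left alone.
tomcat_jar_perm_fix() {
    bin_dir="$1"
    find -L "$bin_dir" -maxdepth 1 -type f -name '*.jar' ! -perm 640 \
        -print -exec chmod 640 {} +
}

# Stand-alone use: sh jar_perms.sh check|fix [bin_dir]
# With no arguments only the functions are defined, so the file can be sourced.
if [ "$#" -gt 0 ]; then
    action="$1"
    dir="${2:-${CATALINA_HOME:?CATALINA_HOME is not set}/bin}"
    case "$action" in
        check) tomcat_jar_perm_check "$dir" ;;
        fix)   tomcat_jar_perm_fix "$dir" && tomcat_jar_perm_check "$dir" ;;
        *)     echo "usage: $0 check|fix [bin_dir]" >&2; exit 2 ;;
    esac
fi
```

`sh jar_perms.sh check` exits non-zero and lists the offending jars when the host would be a finding, which makes it easy to feed into a configuration-management or compliance job; `sh jar_perms.sh fix` remediates and re-runs the check so the exit status confirms the result. Restricting the name pattern to `*.jar` matches the STIG's intent that `.sh` files in bin/ are out of scope for this rule.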